WordPress.org

Make WordPress Core

Changeset 40306


Ignore:
Timestamp:
03/20/2017 04:29:50 AM (2 years ago)
Author:
rachelbaker
Message:

REST API: Confirm the parent post object of an attachment exists in WP_REST_Posts_Controller::check_read_permission().

Avoid a PHP Error when attempting to embed the parent post of an attachment, when the parent post ID is invalid. Instead check if the parent post object exists before checking the read permission for the parent post.

Props GhostToast.
Fixes #39881.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

    r40122 r40306  
    12951295        if ( 'inherit' === $post->post_status && $post->post_parent > 0 ) {
    12961296            $parent = get_post( $post->post_parent );
    1297             return $this->check_read_permission( $parent );
     1297            if ( $parent ) {
     1298                return $this->check_read_permission( $parent );
     1299            }
    12981300        }
    12991301
  • trunk/tests/phpunit/tests/rest-api/rest-attachments-controller.php

    r39954 r40306  
    479479        $response = $this->server->dispatch( $request );
    480480        $this->assertEquals( 403, $response->get_status() );
     481    }
     482
     483    public function test_get_item_inherit_status_with_invalid_parent() {
     484        $attachment_id = $this->factory->attachment->create_object( $this->test_file, REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, array(
     485            'post_mime_type' => 'image/jpeg',
     486            'post_excerpt'   => 'A sample caption',
     487        ) );
     488        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/media/%d', $attachment_id ) );
     489        $response = $this->server->dispatch( $request );
     490        $data = $response->get_data();
     491
     492        $this->assertEquals( 200, $response->get_status() );
     493        $this->assertEquals( $attachment_id, $data['id'] );
     494    }
     495
     496    public function test_get_item_auto_status_with_invalid_parent_returns_error() {
     497        $attachment_id = $this->factory->attachment->create_object( $this->test_file, REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, array(
     498            'post_mime_type' => 'image/jpeg',
     499            'post_excerpt'   => 'A sample caption',
     500            'post_status'    => 'auto-draft',
     501        ) );
     502        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/media/%d', $attachment_id ) );
     503        $response = $this->server->dispatch( $request );
     504
     505        $this->assertErrorResponse( 'rest_forbidden', $response, 403 );
    481506    }
    482507
Note: See TracChangeset for help on using the changeset viewer.